LA-UR 13-20168 
Security of Decoy-State Protocols for General Photon-Number-Splitting Attacks 

Rolando D. Somma and Richard J. Hughes

Los Alamos National Laboratory, 
Los Alamos, New Mexico 87545, USA 

(Dated: April 19, 2013) 

Decoy-state protocols provide a way to defeat photon-number splitting attacks in quantum cryptography implemented with weak coherent pulses. We point out that previous security analyses of such protocols relied on assumptions about eavesdropping attacks that considered treating each pulse equally and independently. We give an example to demonstrate that, without such assumptions, the security parameters of previous decoy-state implementations could be worse than the ones claimed. Next we consider more general photon-number splitting attacks, which correlate different pulses, and give an estimation procedure for the number of single photon signals with rigorous security statements. The impact of our result is that previous analyses of the number of times a decoy-state quantum cryptographic system can be reused before it makes a weak key must be revised.

I. INTRODUCTION: PHOTON NUMBER SPLITTING ATTACKS AND DECOY-STATE PROTOCOLS

Quantum key distribution (QKD) [1-4] allows two parties, Alice and Bob, to establish a common and secret key $S$ that is informationally secure; see [5-7] and references therein. A widely used setup for QKD is the one suggested by Bennett and Brassard (BB84) [2]. BB84 is ideally implemented by preparing and transmitting single-photon pulses. Information can be encoded in the state of one of two conjugate polarization bases, e.g. vertical/horizontal or diagonal/antidiagonal. Only those photons that were prepared by Alice and detected by Bob in the same basis are useful to build a sifted key, which forms $S$ after additional steps of information reconciliation and privacy amplification. Security follows from the inability of faithfully copying quantum information [8] and the unavoidable information-disturbance trade-off in quantum mechanics. Nevertheless, realistic implementations of BB84 use weak coherent photon pulses that could involve many photons, avoiding the assumptions made in security analyses [9-11]. Such pulses could be exploited by Eve, the eavesdropper, to gain access to the (insecure) distributed key using a so-called photon-number splitting (PNS) attack [12,13]. In a simple proposed PNS attack, Eve measures the number of photons in the pulse, $n$. If $n = 1$, Eve blocks the pulse. If $n \ge 2$, Eve "splits" the pulse to obtain a copy of a single photon with the correct polarization and keeps it in her quantum memory. Eve could then obtain a full copy of $S$ by making measurements of her photons in the correct polarization bases, which are known after a public discussion between Alice and Bob. Since Alice and Bob cannot measure $n$, a PNS attack may go undetected. Our goal is to provide a protocol for secure QKD in the presence of PNS attacks.

A simple approach to overcome a PNS attack considers reducing the probability of multi-photon pulses by reducing the coherent-pulse intensities. The drawback with this approach is that the probability of creating single-photon pulses is also reduced. Then, the rate at which bits to build $S$ are sifted is far from optimal [13,14]. Another approach is to use decoy states, which make it possible to detect PNS attacks without a substantial reduction in the rate of sifted bits if Eve is not present [15-17]. In a decoy-state protocol (DSP), one of several weak coherent sources is randomly selected for each pulse. Such sources create pulses of different intensities (mean photon numbers). This gives Alice and Bob a means to estimate $f_0$ and $f_1$, the number of Bob's detections due to empty and single-photon pulses prepared by Alice, in the same basis, respectively. The values of $f_0$ and $f_1$ are important to determine $|S|$, the length of the secure key. For example, in the discussed PNS attack, $f_1$ is substantially smaller than its value when Eve is not present, and so is $|S|$.

In more detail, we let $K \gg 1$ be the total number of pulses prepared by Alice. We first assume that the channel is non-adversarial, i.e. no eavesdropping attacks are present. If the pulse has a random phase, the number of photons it contains is sampled according to the Poisson distribution:

$$p_n = \Pr(n|\mu) = e^{-\mu}\,\frac{\mu^n}{n!} , \tag{1}$$

where $\mu$ is the mean photon number for that source and $\mu < 1$ in applications. We let $\eta$ be the transmission/detection efficiency of the quantum channel shared by Alice and Bob. If $b = 1$ ($b = 0$) denotes the event in which Bob detects a non-empty (empty or vacuum) pulse,

$$y_n = \Pr(b = 1|n)$$

is the probability of a detection by Bob given that Alice's prepared pulse contained $n$ photons. $y_n$ is the so-called $n$-photon yield and $y_n < 1$ due to losses in the channel. For $n \ge 1$, we may assume

$$y_n = 1 - (1-\eta)^n ,$$

which is a good approximation in applications. For $n = 0$, $y_0 \ge 0$ denotes Bob's detector dark-count rate. The total probability of Bob detecting a pulse (in any one cycle) is the total yield

$$Y(\mu) = \Pr(b = 1) = \sum_{n \ge 0} \Pr(n|\mu)\,y_n = e^{-\mu} y_0 + 1 - e^{-\eta\mu} . \tag{2}$$

$Y(\mu)$ can be estimated by Alice and Bob, via public discussion, from the frequency of detections after all pulses were transmitted.

In QKD, we allow Eve to manipulate the parameters that characterize the channel at her will. We use the superscript $\mathcal{E}$ to represent the interaction of Eve with the communication. For example, $y_n^{\mathcal E}$ denotes the $n$-photon yield in the presence of Eve. In a general intercept-resend attack, Eve may intercept a pulse and resend a different one. That is, each detection by Bob is not guaranteed to come from the same pulse that Alice prepared. In a simple PNS attack, Eve makes non-demolition measurements of $n$. With this information, Eve sets $y_1^{\mathcal E} = 0 \ne y_1$ and $y_n^{\mathcal E} > y_n$ for $n \ge 2$, so that

Then, if Alice and Bob can only estimate the total yields, a PNS attack could be "invisible" with the right choices of $y_2^{\mathcal E}, y_3^{\mathcal E}, \ldots$. To increase the multi-photon yield, Eve may use an ideal channel to resend the pulses. (Note that sophisticated PNS attacks that do not change the Poisson distribution are possible [I^.) A PNS attack allows Eve to have the full key $S$ if

$$\Pr(n \ge 2|\mu) > Y(\mu) .$$

In this case, Eve possesses a photon with the same polarization as that of the pulse detected by Bob and no single-photon pulses are involved in creating $S$. Only if $\Pr(n \ge 2|\mu) < Y(\mu)$ are some security guarantees possible [11]. Such an inequality is satisfied when $\mu \lesssim \eta$, implying a rate for sifted bits of order $\eta^2$ [Eq. (2)]. This is undesirably small ($\eta \ll 1$).

Remarkably, DSPs give an optimal rate of order $\eta$ with small resource overheads. A goal in a DSP is to estimate $y_0^{\mathcal E}$ and $y_1^{\mathcal E}$, which provide a lower bound on $f_0^{\mathcal E}$ and $f_1^{\mathcal E}$, respectively. Empty and single-photon pulses cannot be split and the information carried in their polarization cannot be faithfully copied, making them useful to create a secure key. For the estimation, Alice uses photon sources that have different values of $\mu$ but are otherwise identical. In a conventional DSP, it is assumed that Eve's PNS attack treats every $n$-photon pulse equally and independently, regardless of its source. That is, Eve's attack is simulated by independent and identically distributed (i.i.d.) random variables. The total yield in this case is, for any given $\mu$,

$$Y^{\mathcal E}(\mu) = \sum_{n \ge 0} \Pr(n|\mu)\,y_n^{\mathcal E} . \tag{3}$$

Equation (3) describes mathematically what we denote as the i.i.d. assumption. It follows that

$$y_1^{\mathcal E} = \partial_\mu \left[ e^{\mu}\,Y^{\mathcal E}(\mu) \right] \big|_{\mu = 0} . \tag{4}$$

Then, if Eve's attack satisfies $Y(\mu) \approx Y^{\mathcal E}(\mu)$ for all $\mu$,

$$y_0^{\mathcal E} \approx y_0 , \qquad y_1^{\mathcal E} \approx y_1 = \eta .$$

That is, by being able to estimate $Y^{\mathcal E}(\mu)$ for two values of $\mu \ll 1$ via public discussion, Alice and Bob can restrict Eve's attack so that the dark-count rate and single-photon yield are almost unchanged from the non-adversarial case. In addition, if a third source with $\mu \approx 1$ is randomly invoked, an optimal key rate of order $\eta$ will be achieved.

In reality, the estimation of $y_0^{\mathcal E}$ and $y_1^{\mathcal E}$ is subject to finite statistics and can be technically involved. Nevertheless, the i.i.d. assumption in Eq. (3) allows Alice and Bob to gain information about Eve's attack by running the protocol and analyzing the (binomial) distributions of the detection events for each source. However, we remark that if Eve were to correlate her attacks, the i.i.d. assumption and the corresponding security analyses would be invalid. This is the main motivation behind our analysis.

In this paper, we give an example that shows how the i.i.d. assumption can be simply bypassed by Eve, resulting in security parameters that are worse than those obtained under the assumption. We then analyze the security of DSPs for general PNS attacks. Our main result is an estimation procedure that gives a lower bound on $f_0^{\mathcal E}$ and $f_1^{\mathcal E}$, with a confidence level that is an input to the estimation procedure. Our security analysis does not use the i.i.d. assumption and is particularly relevant when Eve performs a PNS attack that could correlate different pulses in one session or even different sessions. We compare some results obtained by our estimation procedure with those obtained by using the i.i.d. assumption, and emphasize the importance of our procedure.



II. THE SECURITY PARAMETER, THE I.I.D. 
ASSUMPTION, AND FINITE STATISTICS 

Of high significance in cryptographic protocols is $\epsilon$, the so-called security parameter. $\epsilon$ measures the deviation of a real protocol implementation from an ideal one. We use the same definition used in Ref. [7], which states that a real QKD protocol is $\epsilon$-secure if it is $\epsilon$-indistinguishable from a perfectly secure and ideal one. This definition is equivalent to a statement on the trace norm of the difference between the quantum states resulting from the real and ideal protocol, respectively. It implies that a QKD protocol that is $\epsilon$-secure can be safely reused order $1/\epsilon$ times without compromising its security.

Usually, one fixes a value for $\epsilon$ and then determines the size of $S$ based on several protocol performance parameters. These parameters include the number of pulses sent by Alice, the number of pulses detected by Bob, and the estimated bit error rates at each mean photon number. For DSPs, $\epsilon$ has a component $\epsilon_{\rm DSP}$ that determines the confidence level in the estimation of a lower bound of $f_0^{\mathcal E}$ and $f_1^{\mathcal E}$, due to finite statistics.

A possible way to obtain such lower bounds, under the i.i.d. assumption, is the one followed in Ref. [17]. In this case, we consider a DSP with three sources, $i = U, V, W$. The mean photon number in each pulse, for each source, is $\mu^U = 0$, $\mu^V \ll 1$, and $\mu^W \in O(1)$. Each source $i$ randomly prepares a pulse with probability $q^i$ and we let $K^i$ be the total number of pulses for that source. $K^i$ is known to Alice and Bob by public discussion after all pulses are sent and $K^i \approx q^i K$ when $K \gg 1$. We write $D^{i,\mathcal E}$ for the random variable that counts the number of pulses from source $i$ detected by Bob under the presence of Eve [18]. The exact value that $D^{i,\mathcal E}$ takes in a session can also be obtained by Alice and Bob via public discussion after the pulses were transmitted.

Under the i.i.d. assumption [Eq. (3)], $D^{i,\mathcal E}$ is sampled according to the binomial distribution. Then, $D^{i,\mathcal E}/K^i$ is an estimator of the total yield $Y^{\mathcal E}(\mu^i) = E[D^{i,\mathcal E}/K^i]$, where $E[\cdot]$ denotes the mean value. That is, for a given $\epsilon_{\rm DSP}$, we can establish confidence intervals

$$\frac{D^{i,\mathcal E}}{K^i} + c(\epsilon_{\rm DSP})\,\sigma^{i,\mathcal E} > Y^{\mathcal E}(\mu^i) > \frac{D^{i,\mathcal E}}{K^i} - c(\epsilon_{\rm DSP})\,\sigma^{i,\mathcal E} , \tag{5}$$

with confidence level $1 - \epsilon_{\rm DSP}$. The constant $c$ depends on $\epsilon_{\rm DSP}$ and can be obtained using Chernoff's bound [19]; see Appendix B. The standard deviation in this case is

$$\sigma^{i,\mathcal E} = \sqrt{\frac{Y^{\mathcal E}(\mu^i)\left(1 - Y^{\mathcal E}(\mu^i)\right)}{q^i K}} . \tag{6}$$

Using Eq. (3) for $Y^{\mathcal E}(\mu^i)$, we can search for the minimum values of $y_0^{\mathcal E}$ and $y_1^{\mathcal E}$ that satisfy Eqs. (5), e.g. by executing a linear program. Both $y_0^{\mathcal E}$ and $y_1^{\mathcal E}$ can then be used to obtain the desired lower bounds on $f_0^{\mathcal E}$ and $f_1^{\mathcal E}$, respectively, with corresponding confidence level $1 - \epsilon_{\rm DSP}$. This last step also requires using the i.i.d. assumption.

We remark that Eq. (5) does not properly regard the problem of inferring a distribution for $Y^{\mathcal E}(\mu^i)$ from the known $D^{i,\mathcal E}$, a problem that would require knowledge on the prior distribution of $Y^{\mathcal E}(\mu^i)$.



III. INCREASING THE LENGTH OF
CONFIDENCE INTERVALS: AN ATTACK

The analysis in Sec. II used the i.i.d. assumption that resulted in a value for $\sigma^{i,\mathcal E}$ given by Eq. (6). Nevertheless, the actual value of $\sigma^{i,\mathcal E}$ could be much higher in more general PNS attacks. For the same confidence level, a bigger $\sigma^{i,\mathcal E}$ implies a "wider" confidence interval for the estimation of the yield $Y^{\mathcal E}(\mu^i)$ (Appendix B), and thus smaller lower bounds on $f_0^{\mathcal E}$ and $f_1^{\mathcal E}$. The overall result in the DSP is a secret key $S$ of smaller size for the same security parameter.

To illustrate how Eve can bypass the i.i.d. assumption, we suggest a potential attack that results in almost no change for the total yields [i.e., $Y(\mu^i) \approx Y^{\mathcal E}(\mu^i)$] [20] but the variances $\sigma^{i,\mathcal E}$ are increased with respect to those of the binomial distribution [Eq. (6)]. The suggested attack could be detected by Alice and Bob by estimating the variances directly via public discussion. Nevertheless, it still shows that a better analysis of the security of DSPs is needed to make rigorous claims.

In the attack, Eve first picks an integer value for $r \ge 1$, where $r^2$ denotes a scale for a variance or "correlation" of a particular distribution. Eve receives all pulses from Alice and we let $k_n$ be the total number of $n$-photon pulses in the protocol. Note that the exact value of $k_n$ is known to Eve but not to Alice and Bob. In general, $k_n$ is sampled according to the binomial distribution

$$\Pr(k_n) = \binom{K}{k_n} (p_n)^{k_n} (1 - p_n)^{K - k_n} ,$$

where $p_n$ is the probability of a pulse containing $n$ photons: $p_n = \sum_i q^i p_n^i$. The mean and variance for such distribution are

$$E[k_n] = p_n K , \qquad \sigma^2_{k_n} = p_n (1 - p_n) K .$$

Given $k_n$, Eve randomly picks a value for $d_n^{\mathcal E} \in \{0, 1, \ldots, k_n\}$, where $d_n^{\mathcal E} = \sum_i d_n^{i,\mathcal E}$ is the total number of detections due to $n$-photon pulses prepared by Alice. In particular, we assume that Eve can control $d_0^{\mathcal E}$, which determines the dark-count rate. The distribution associated with $d_n^{\mathcal E}$ has the following properties:

$$E[d_n^{\mathcal E}|k_n] = y_n k_n , \qquad \sigma^2_{d_n^{\mathcal E}|k_n} = r^2 y_n (1 - y_n) k_n . \tag{7}$$

We let $d_n^{i,\mathcal E}$ be the number of $n$-photon pulses, prepared by Alice's $i$th source only, and detected by Bob. The exact value of $d_n^{i,\mathcal E}$ is unknown to all parties. Because Eve does not know the source being used in the DSP, $d_n^{i,\mathcal E}$ is sampled according to the binomial distribution when given $d_n^{\mathcal E}$:

$$\Pr(d_n^{i,\mathcal E}|d_n^{\mathcal E}) = \binom{d_n^{\mathcal E}}{d_n^{i,\mathcal E}} (q_n^i)^{d_n^{i,\mathcal E}} (1 - q_n^i)^{d_n^{\mathcal E} - d_n^{i,\mathcal E}} , \tag{8}$$

where

$$q_n^i = \frac{q^i e^{-\mu^i} (\mu^i)^n}{\sum_j q^j e^{-\mu^j} (\mu^j)^n} . \tag{9}$$

The distribution associated with $d_n^{i,\mathcal E}$ satisfies

$$\sigma^2_{d_n^{i,\mathcal E}|d_n^{\mathcal E}} = q_n^i (1 - q_n^i)\,d_n^{\mathcal E} .$$

As in Sec. II, we let $(\sigma^{i,\mathcal E})^2$ be the variance associated with the random variable $Z^{i,\mathcal E} = D^{i,\mathcal E}/K^i$, where

$$D^{i,\mathcal E} = \sum_{n \ge 0} d_n^{i,\mathcal E} , \tag{10}$$

and $E[Z^{i,\mathcal E}] = Y^{\mathcal E}(\mu^i)$. An accurate estimate of $Z^{i,\mathcal E}$ can be obtained if we approximate $K^i \approx q^i K$ in the limit of large $K$. In addition, because $K$ is fixed, the variables $k_n$ are not independent. However, in the large-$K$ limit, $k_n$ can also be approximated by its mean value. It implies that the $k_n$ are almost independent and so are the $d_n^{\mathcal E}$ and $d_n^{i,\mathcal E}$ for different values of $n$. Under these approximations,

$$(\sigma^{i,\mathcal E})^2 \approx \frac{1}{(q^i K)^2} \sum_{n \ge 0} \sigma^2_{d_n^{i,\mathcal E}} . \tag{11}$$

In Appendix A we show that

$$\sigma^2_{d_n^{i,\mathcal E}} = \left[ (r^2 - 1)\,q_n^i (1 - y_n) + (1 - q_n^i y_n p_n) \right] q_n^i y_n p_n K . \tag{12}$$

By inserting Eq. (12) in Eq. (11) we can obtain the variances as a function of $r$. In Fig. 1 we compute $\sigma^{U,\mathcal E}$ and $\sigma^{V,\mathcal E}$. The i.i.d. assumption discussed in Sec. II corresponds to $r = 1$; see Appendix A. Using these results in Eq. (5) yields wider confidence intervals for the same confidence level.

To illustrate our point further, we consider a simple attack in which a single source $U$ is used to estimate the dark-count rate. Here, $\mu^U = 0$ and $d_0^{\mathcal E} = D^{U,\mathcal E}$ is known. In the non-adversarial case, $d_0$ is sampled according to the binomial distribution with probability $y_0$ and known sample size $k_0 = K^U$. Nevertheless, for the correlated attack, we assume that Eve "receives" the $K^U$ pulses and groups them according to blocks of size $r^2$. Then, Eve will force (prevent) the detection of all pulses in any one block with probability $y_0$ ($1 - y_0$). The random variable $d_0^{\mathcal E}$ for the correlated attack satisfies

$$E[d_0^{\mathcal E}] = y_0 k_0 ,$$

$$\sigma^2_{d_0^{\mathcal E}} = \left[ y_0 (r^2)^2 - (y_0 r^2)^2 \right] \frac{k_0}{r^2} = r^2 y_0 (1 - y_0) k_0 ,$$

and $r = 1$ corresponds again to the i.i.d. assumption [see Eq. 0].

FIG. 1. The standard deviations $\sigma^{U,\mathcal E}$ and $\sigma^{V,\mathcal E}$ for an attack in which Eve correlates $n$-photon pulses according to the value of $r$. The channel parameters are $1 \le r \le 100$, $K = 10^{10}$, $q^U = 0.01$, $q^V = 0.0275$, $\mu^U = 0$, $\mu^V = 0.063$, $\eta$ = 10-^ and $y_0$ = 2.10"^ ^Tj. The results in Sec. II are recovered for $r = 1$.

In Fig. 2(A), we plot the probability that $Z^{U,\mathcal E} = D^{U,\mathcal E}/K^U$ satisfies

$$E[Z^{U,\mathcal E}] + c\,\sigma^{U,\mathcal E}(1) > Z^{U,\mathcal E} > E[Z^{U,\mathcal E}] - c\,\sigma^{U,\mathcal E}(1) ,$$

for different values of $c$ and $r$. For $r = 1$, such a probability corresponds to the confidence level in Eq. (5). $E[Z^{U,\mathcal E}] = y_0$ in this example. For the inverse problem, namely the estimation of $y_0$ from $D^{U,\mathcal E}$ and $K^U$, Eq. (5) may be incorrect. We may then assume a uniform prior distribution for $y_0 \in [0, 1]$, and obtain the posterior distribution as

$$\Pr(y_0|D^{U,\mathcal E}) = \Pr(D^{U,\mathcal E}|y_0)\Pr(y_0)/\Pr(D^{U,\mathcal E}) \propto y_0^{D^{U,\mathcal E}/r^2} (1 - y_0)^{(K^U - D^{U,\mathcal E})/r^2} , \tag{13}$$

which is plotted in Fig. 2(B). Our results demonstrate that, for a fixed security parameter, the accuracy in the estimation of the dark-count rate strongly depends on Eve's attack and can be substantially different from the one obtained under the i.i.d. assumption ($r = 1$).
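The widening described in this section, as an added example that is not part of the original paper: the first functions evaluate Eqs. (6), (11) and (12) as functions of $r$, and the rest simulates the block attack on the dark-count source to measure how often the i.i.d. interval of Eq. (5) still contains the observed frequency. The values of $q^W$, $\mu^W$, $\eta$, $y_0$ and the Monte Carlo sample sizes are constructed for the illustration.

```python
import math
import random

# K, q^U, q^V, mu^U and mu^V follow the Fig. 1 caption; q^W, mu^W, eta and y0
# are values constructed for this example.
Q = {"U": 0.01, "V": 0.0275, "W": 0.9625}
MU = {"U": 0.0, "V": 0.063, "W": 0.5}
K, ETA, Y0 = 10**10, 1e-3, 2e-6


def poisson(n, mu):
    """Eq. (1): probability of n photons in a pulse of mean photon number mu."""
    if mu == 0.0:
        return 1.0 if n == 0 else 0.0
    return math.exp(-mu) * mu**n / math.factorial(n)


def yield_n(n):
    """Non-adversarial yield: y0 for n = 0, 1 - (1 - eta)^n for n >= 1."""
    return Y0 if n == 0 else 1.0 - (1.0 - ETA) ** n


def sigma_iid(i):
    """Eq. (6): standard deviation of D^i/K^i under the i.i.d. assumption."""
    y_tot = math.exp(-MU[i]) * Y0 + 1.0 - math.exp(-ETA * MU[i])  # Eq. (2)
    return math.sqrt(y_tot * (1.0 - y_tot) / (Q[i] * K))


def sigma_correlated(i, r, n_max=20):
    """Eqs. (11)-(12): standard deviation of D^i/K^i for correlation scale r."""
    var_sum = 0.0
    for n in range(n_max + 1):
        p_n = sum(Q[j] * poisson(n, MU[j]) for j in Q)  # p_n = sum_j q^j p_n^j
        q_ni = Q[i] * poisson(n, MU[i]) / p_n           # Eq. (9)
        y = yield_n(n)
        bracket = (r * r - 1) * q_ni * (1.0 - y) + (1.0 - q_ni * y * p_n)
        var_sum += bracket * q_ni * y * p_n * K         # Eq. (12)
    return math.sqrt(var_sum) / (Q[i] * K)              # Eq. (11)


def chernoff_c(eps):
    """Eq. (B3): half-width constant c for error probability eps."""
    return 2.0 * math.sqrt(abs(math.log(eps)))


def block_attack_detections(k0, y0, r, rng):
    """Dark-count source U: pulses are grouped in blocks of r^2 and every pulse
    of a block is detected together with probability y0 (r = 1 is i.i.d.)."""
    block = r * r
    full, rest = divmod(k0, block)
    detected = block * sum(1 for _ in range(full) if rng.random() < y0)
    if rest and rng.random() < y0:
        detected += rest
    return detected


def coverage_and_spread(k0, y0, r, eps, trials=300, seed=1):
    """Fraction of simulated sessions with |D/k0 - y0| < c(eps) * sigma_iid,
    and the observed standard deviation of D/k0 in units of sigma_iid."""
    rng = random.Random(seed)
    s_iid = math.sqrt(y0 * (1.0 - y0) / k0)
    half_width = chernoff_c(eps) * s_iid
    zs = [block_attack_detections(k0, y0, r, rng) / k0 for _ in range(trials)]
    inside = sum(1 for z in zs if abs(z - y0) < half_width) / trials
    mean = sum(zs) / trials
    spread = math.sqrt(sum((z - mean) ** 2 for z in zs) / (trials - 1))
    return inside, spread / s_iid


if __name__ == "__main__":
    for src in ("U", "V"):
        for r in (1, 10, 100):
            print(src, r, sigma_correlated(src, r) / sigma_iid(src))
    # Smaller constructed sample so the simulation runs in about a second.
    for r in (1, 5):
        inside, spread = coverage_and_spread(k0=10_000, y0=0.05, r=r, eps=0.01)
        print(f"r={r}: coverage={inside:.3f} (claimed >= 0.99), "
              f"sigma/sigma_iid={spread:.2f}")
```

The spread ratio returned by `coverage_and_spread` is the direct variance check mentioned above: over repeated sessions it stays near 1 for i.i.d. detections and grows like $r$ under the block attack.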



IV. SECURITY OF DSP: CORRELATED PNS 
ATTACKS 

We go beyond the i.i.d. assumption and study more general and correlated PNS attacks, in which Eve has full control on Bob's detection events. The secure key-rate in a realistic implementation of QKD is [17]

$$s > f_0^{\mathcal E *} + f_1^{\mathcal E *} - \kappa_{\rm EC} F^{\mathcal E} H_2(\mathrm{BER}) - \kappa_{\rm PA} f_1^{\mathcal E *} H_2(b_1^{\max}) , \tag{14}$$

which determines the size of the distributed key as $|S| = sK$. $F^{\mathcal E}$ is the total number of pulses detected by Bob and prepared by Alice in the same basis, that are useful for the sifted key. In BB84, $F^{\mathcal E} \approx D^{\mathcal E}/2$, where $D^{\mathcal E}$ is the total number of detections. $f_n^{\mathcal E *}$ is a lower bound on $f_n^{\mathcal E}$, the number of $n$-photon pulses prepared and detected in the same basis. $H_2(\cdot)$ is the Shannon entropy, $\kappa_{\rm EC}$ and $\kappa_{\rm PA}$ are coefficients due to the error correction and privacy amplification steps, BER is the total bit error rate, and $b_1^{\max}$ is an upper bound to the bit error rate due to single-photon pulses only.

FIG. 2. Estimation of dark counts. (A) Confidence intervals for different correlated attacks, parametrized by $r$, and confidence bounds, parametrized by $c$. (B) Bayesian estimation of $y_0$, the mean dark-count rate, assuming a uniform prior and for different correlated attacks [Eq. (13)].

In a DSP, we characterize a general PNS attack by the distribution

$$\Pr(d_0^{\mathcal E}, d_1^{\mathcal E}, \ldots | k_0, k_1, \ldots) . \tag{15}$$

See Fig. 3 for an example. Our goal is to build an estimation procedure that places confidence intervals on $f_0^{\mathcal E} = \sum_i f_0^{i,\mathcal E}$ and $f_1^{\mathcal E} = \sum_i f_1^{i,\mathcal E}$ from the known $D^{i,\mathcal E}$. These intervals ultimately imply a lower bound on $s$; see Eq. (14).

We assume that there are three sources satisfying $\mu^U = 0 < \mu^V < \mu^W$, and $\mu^W \in O(1)$. Nevertheless, our analysis can be easily generalized to the case in which more sources are present, where the estimation is more accurate. For each source, Bob's detections satisfy Eq. (10). If a simple relationship between each $d_n^{i,\mathcal E}$ and $d_n^{\mathcal E}$ could be found, we could execute a program to solve Eqs. (10). Such a relationship could be obtained from the binomial distribution associated with $d_n^{i,\mathcal E}$, when given $d_n^{\mathcal E}$ [Eq. (8)].

Our estimation procedure uses $d_n^{i,\mathcal E}$ to determine the confidence intervals



^i,nidT) > < > 4>i,nidT) ■ 



n,S\ 



(16)

FIG. 3. A general PNS attack with three decoy sources, $\mu^U = 0$, $\mu^V \ll 1$, and $\mu^W \in O(1)$. Each block represents the number of pulses with $n = 0, 1, 2, \ldots$, respectively. The random variables $k_n^i$ indicate the number of $n$-photon pulses prepared by Alice and the superscript $i$ denotes the source used for such pulses. Eve's attack controls the number of detections by Bob, due to $n$-photon pulses, through $d_n^{\mathcal E}$.

The corresponding confidence level for each inequality is $1 - \epsilon_n/2$. The upper and lower bounds are monotonic and invertible functions. Then,



&di) > dti' > ^-'M) , 



(17) 



with the same confidence levels. Such confidence levels do not result from the binomial distribution as we are analyzing the inverse problem, namely the estimation of $d_n^{\mathcal E}$ from the available information (i.e., $D^{i,\mathcal E}$ and $K^i$). From Eqs. (10) and (17), we obtain



J24>-M)^D-'^J2^^>n); 



(18) 



n>0 



n>0 



See Fig. 4 for an example.

Next, our estimation procedure executes a program to obtain $d_0^{\mathcal E *}$ and $d_1^{\mathcal E *}$, the corresponding smallest values of $d_0^{\mathcal E}$ and $d_1^{\mathcal E}$, subject to the constraints given by Eqs. (18). From the union bound, the confidence level in such values is $1 - \epsilon_{\rm DSP}$, with

$$\epsilon_{\rm DSP} \le 3 \sum_{n \ge 0} \epsilon_n \tag{19}$$

when three sources are used. Since $f_0^{\mathcal E *}$ and $f_1^{\mathcal E *}$ are sampled according to a binomial distribution when given $F^{\mathcal E}$ (i.e., the preparation and detection basis are random), we obtain



fS* 



?ed^ 



cCSuspJf^^ 



d^* 



(20) 



where the constant c(^dsp) ^ can be obtained using Eq. (B3). The overall confidence level for the key rate $s$ is 1 — cdsp? where the security parameter satisfies

cdsp < cdsp + fcsp • (21)

In the next section we obtain the confidence intervals and levels specifically for our method.

FIG. 4. Upper and lower bounds on $d_0^{V,\mathcal E} + d_1^{V,\mathcal E} \approx D^{V,\mathcal E}$. The yellow blocks represent the number of pulses from source $V$ with $n = 0$ and $n = 1$. The dark and blue blocks represent the total number of pulses with $n = 0$ and $n = 1$, respectively. The confidence level for this case is not smaller than $1 - (\epsilon_0 + \epsilon_1)$.

Confidence intervals for the estimation procedure

Our method takes $\epsilon_{\rm DSP}$ as input and outputs $f_0^{\mathcal E *}$ and $f_1^{\mathcal E *}$. To satisfy Eq. (21), we can set

c(fosp) = $2\sqrt{|\log(\epsilon_{\rm DSP}/2)|}$ (22)

and

$$\epsilon_n = (\epsilon_{\rm DSP}/12)(1/2)^n \tag{23}$$

[see Eqs. (B3) and (C1)]. Next, we will find $d_0^{\mathcal E *}$ and $d_1^{\mathcal E *}$ as required by Eq. (20).

If $\phi$ depends on $d_n^{i,\mathcal E}$ only, the probability that $d_n^{\mathcal E}$ is smaller than $\phi$ is

K

J2 Pr(rf^) E P<dil'\dn)

d£=0

dfi>dn >"i

2 '

(24)

with

< = ^z,n«)

When given $d_n^{\mathcal E}$, the random variable $d_n^{i,\mathcal E}$ is sampled according to Eq. (8). From Chernoff's bound (Appendix B)

6n< 2 max exp

[ (<

« - Qndn?

\C^-(l'n)di

(25)

and we choose the lower bound so that

i \2

" (i-'/J.)

(26)

with $c_n > 0$. The error probability satisfies

$$\epsilon_n \le 2 \exp\{-c_n^2/4\} ; \tag{27}$$

see Appendix C. A similar analysis gives the upper bound

Mll^

" ^ (1 - qir " "

(28)

with the same confidence level. Then, to satisfy Eq. (23), it suffices to set

$$c_n^2(\epsilon_{\rm DSP}) = 4 \left| \log(\epsilon_{\rm DSP}/24) + n \log(1/2) \right| .$$

To complete the estimation procedure, we invert Eqs. (26) and (28) and obtain

$$\sum_{n \ge 0} \left[ q_n^i d_n^{\mathcal E} + c_n(\epsilon_{\rm DSP}) \sqrt{q_n^i (1 - q_n^i)\,d_n^{\mathcal E}} \right] > D^{i,\mathcal E} ,$$

$$D^{i,\mathcal E} > \sum_{n \ge 0} \left[ q_n^i d_n^{\mathcal E} - c_n(\epsilon_{\rm DSP}) \sqrt{q_n^i (1 - q_n^i)\,d_n^{\mathcal E}} \right] . \tag{29}$$

We can then execute a program that finds the minimum values of $d_0^{\mathcal E}$ and $d_1^{\mathcal E}$ subject to Eqs. (29). For instance, a quadratic program can be used to search for $\sqrt{d_n^{\mathcal E}}$. Such minimum values will be used in Eqs. (20) and (14) to obtain the key rate.

A technical remark is in order. When $n \to \infty$, $q_n^i (1 - q_n^i) \to 0$ exponentially fast in $n$. Then, the contribution of large-$n$ terms in Eqs. (29) is negligible. We can set a suitable cutoff $n_{\max} \ge n$ in the number of photons per pulse in our analysis, to avoid unnecessary computational overheads in finding $d_0^{\mathcal E *}$ and $d_1^{\mathcal E *}$, and with an insignificant impact on the estimated values.



V. CONCLUSIONS 

We analyzed general photon-number splitting attacks 
and pointed out that previous security analyses on decoy- 
state protocols for QKD made a strong assumption on the 
attack. We provided an estimation procedure that sets 
a lower bound on the size of the secure, distributed key, 
with the corresponding confidence levels. Our procedure 



requires executing a program to find the minimum values 
of the number of detections due to empty and single- 
photon pulses, subject to constraints that are determined 
by the results of the protocol and by the desired security 
parameter. It results in rigorous security guarantees even 
if Eve correlates her attack according to the number of 
photons in the pulse. 

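We emphasize that our estimation procedure is not unique: any time that a confidence interval can be set as a function of publicly available information for general attacks, an estimation procedure is possible. In addition, our choice of confidence intervals and $\epsilon_n$ is not essential and could be further optimized to improve the size of the secure key.

Appendix A: Properties of $Z^{i,\mathcal E}$

We let $X \in \{0, 1, \ldots, K\}$ be a random variable and $f(X)$ the probability distribution. The random variable $Y \in \{0, 1, \ldots, K\}$ has the conditional distribution $g(Y|X)$. The probability of $Y$ is $h(Y) = \sum_{X=0}^{K} g(Y|X) f(X)$. Then, it is easy to show

$$\sigma_Y^2 = E[\sigma^2_{Y|X}] + \sigma^2_{E[Y|X]} , \tag{A1}$$

where

$$\sigma_Y^2 = \sum_{Y=0}^{K} h(Y)\,Y^2 - \left( \sum_{Y=0}^{K} h(Y)\,Y \right)^2$$

is the variance of $Y$. Also,

$$E[Y|X] = \sum_{Y=0}^{K} g(Y|X)\,Y$$

is the expected value of $Y$ when given $X$,

$$\sigma^2_{E[Y|X]} = \sum_{X=0}^{K} f(X)\,E[Y|X]^2 - \left( \sum_{X=0}^{K} f(X)\,E[Y|X] \right)^2$$

is the variance of $E[Y|X]$,

$$\sigma^2_{Y|X} = \sum_{Y=0}^{K} g(Y|X)\,Y^2 - \left( \sum_{Y=0}^{K} g(Y|X)\,Y \right)^2$$

is the variance of $Y$ when given $X$, and

$$E[\sigma^2_{Y|X}] = \sum_{X=0}^{K} f(X)\,\sigma^2_{Y|X}$$

is the expected value of such a variance.

In the attack discussed in Sec. III, $K$ is fixed and the distribution of $k_n$ satisfies

$$E[k_n] = p_n K , \qquad \sigma^2_{k_n} = p_n (1 - p_n) K .$$

Next, $d_n^{\mathcal E}$ is chosen such that, when given $k_n$,

$$E[d_n^{\mathcal E}|k_n] = y_n k_n , \qquad \sigma^2_{d_n^{\mathcal E}|k_n} = r^2 y_n (1 - y_n) k_n .$$

It follows that

$$E[\sigma^2_{d_n^{\mathcal E}|k_n}] = r^2 y_n (1 - y_n) p_n K ,$$

$$\sigma^2_{E[d_n^{\mathcal E}|k_n]} = (y_n)^2 \sigma^2_{k_n} = (y_n)^2 p_n (1 - p_n) K .$$

Then,

$$\sigma^2_{d_n^{\mathcal E}} = r^2 y_n (1 - y_n) p_n K + (y_n)^2 p_n (1 - p_n) K .$$

When given $d_n^{\mathcal E}$, the distribution for $d_n^{i,\mathcal E}$ satisfies

$$\sigma^2_{d_n^{i,\mathcal E}|d_n^{\mathcal E}} = q_n^i (1 - q_n^i)\,d_n^{\mathcal E} .$$

Therefore,

$$\sigma^2_{E[d_n^{i,\mathcal E}|d_n^{\mathcal E}]} = (q_n^i)^2 \sigma^2_{d_n^{\mathcal E}} , \qquad E[\sigma^2_{d_n^{i,\mathcal E}|d_n^{\mathcal E}}] = q_n^i (1 - q_n^i)\,y_n p_n K .$$

Also,

$$\sigma^2_{d_n^{i,\mathcal E}} = (q_n^i)^2 \sigma^2_{d_n^{\mathcal E}} + q_n^i (1 - q_n^i)\,y_n p_n K$$

$$= (q_n^i)^2 \left[ r^2 y_n (1 - y_n) p_n K + (y_n)^2 p_n (1 - p_n) K \right] + q_n^i (1 - q_n^i)\,y_n p_n K$$

$$= \left[ (r^2 - 1)\,q_n^i (1 - y_n) + (1 - q_n^i y_n p_n) \right] q_n^i y_n p_n K .$$

The first term on the rhs vanishes when $r = 1$. The second term is

$$(1 - q_n^i y_n p_n)\,q_n^i y_n p_n K = (1 - q^i y_n p_n^i)\,q^i y_n p_n^i K ,$$

so that

$$\sum_{n \ge 0} \sigma^2_{d_n^{i,\mathcal E}} = \sum_{n \ge 0} (1 - q^i y_n p_n^i)\,q^i y_n p_n^i K$$

for $r = 1$. Moreover, since $\sum_{n \ge 0} [y_n p_n^i]^2 \le Y(\mu^i) \ll 1$, then

$$\sum_{n \ge 0} \sigma^2_{d_n^{i,\mathcal E}} \approx q^i\,Y(\mu^i) \left( 1 - Y(\mu^i) \right) K ,$$

which shows that the case discussed in Sec. II, i.e. the i.i.d. assumption, corresponds to choosing $r = 1$ in this case.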



Appendix B: Chernoff bound

Chernoff's bound [19] sets a bound on the probabilities of "rare" events as a function of the standard deviation of the corresponding distribution. More precisely, we let $X_1, X_2, \ldots, X_n$ be a set of i.i.d. random variables that satisfy $|X_j| \le 1$ and define $X = \sum_j X_j$. A general version of Chernoff's bound implies

$$\Pr[X \ge E[X] + c\sigma] \le \exp\{-c^2/4\} , \tag{B1}$$

where $\sigma = n^{1/2} \sqrt{E[(X_j)^2] - (E[X_j])^2}$ is the standard deviation. For the special case of the binomial distribution where $X_j = 1$ with probability $a$ and $X_j = 0$ otherwise,

$$\sigma = \sqrt{n a (1 - a)} , \qquad E[X] = n a ,$$

and

$$\Pr[X \ge k] = I_a(k, n - k + 1) \le \exp\{-(k - n a)^2 / (4 a (1 - a) n)\} . \tag{B2}$$

Here, $I_a(k, n - k + 1)$ is the so-called regularized incomplete beta function. To satisfy $\Pr[X \ge k] \le \epsilon$, it suffices to choose $c$ such that

$$|c| = 2 \sqrt{|\log \epsilon|} . \tag{B3}$$



Appendix C: Calculations of errors 

If $\epsilon_n \le (\epsilon/12)(1/2)^n$, then

^"=EE^- (CI) 

i n 

<3(e/12).2 = e/2 , 

where we considered that three sources i are involved in 
the DSP. 

Chernoff's bound for the binomial distribution 



[Eq. (B2)] implies that 



Cn < 2exp 



(< - Qndn? 



If we set, 



< = hn(dn) = Qndn + Cn\ Q^l - q^d^ 



(C2) 



then 



$$\epsilon_n \le 2 \exp\{-c_n^2/4\} ,$$



as in E q. ([27| ). Replacing u\ by d^f and d^ by (pi^nid^f) 
in Eq. ( |C2p , and solving the resulting quadratic equation, 
we obtain 



iAdn ) = -Cn\/qi{l -qi)^ 



That is. 



clq'ni^ - q'n) ^ Mid'/ 

qii 2(7j, 



/i^ql^) . 



Cn^cl{l-ql^)[{l-ql^)^Mll 

^q'n 



that yields Eq. (26). Changing $c_n \to -c_n$ provides the upper bound without changing $\epsilon_n$, i.e., the confidence level.